U.S. Department of the Interior 
PRIVACY IMPACT ASSESSMENT 





Introduction 


The Department of the Interior requires PIAs to be conducted and maintained on all IT systems whether already 
in existence, in development or undergoing modification in order to adequately evaluate privacy risks, ensure 
the protection of privacy information, and consider privacy implications throughout the information system 
development life cycle. This PIA form may not be modified and must be completed electronically; hand- 
written submissions will not be accepted. See the DOI PIA Guide for additional guidance on conducting a PIA 
or meeting the requirements of the E-Government Act of 2002. See Section 6.0 of the DOI PIA Guide for 
specific guidance on answering the questions in this form. 


NOTE: See Section 7.0 of the DOI PIA Guide for guidance on using the DOI Adapted PIA template to assess 
third-party websites or applications. 


Name of Project: Appraisal and Valuation Information System (AVIS) 
Bureau/Office: Office of the Secretary (OS), Appraisal and Valuation Services Office (AVSO) 


Date: September 30, 2021 


Point of Contact 

Name: Danna Mingo 

Title: OS Departmental Offices Associate Privacy Officer 

Email: OS_Privacy@ios.doi.gov 

Phone: (202) 441-5504 

Address Line: 1849 C Street NW, Room 7112, Washington, DC 20240 


Section 1. General System Information 
A. Isa full PIA required? 


Yes, information is collected from or maintained on 
Members of the general public 
Federal personnel and/or Federal contractors 
O Volunteers 
O All 


O No: 
B. What is the purpose of the system? 
AVIS is a cloud-based client-accessible web application which provides a common form for submission 


of real property appraisal service requests to the Department of the Interior (DOI) AVSO that support 
the mission-related business operations. 
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AVSO supports the real estate appraisal and mineral evaluation functions for DOI bureaus and offices, 
including the Bureau of Indian Affairs (BIA), Bureau of Trust Funds Administration (BTFA), Bureau of 
Land Management (BLM), Bureau of Reclamation (BOR), U.S. Fish and Wildlife Service (FWS), and 
the National Park Service (NPS). Valuation service requests are entered into AVIS by the DOI Client 
Bureaus. The information provided originates from real estate records maintained by the client bureaus 
and is used by AVSO for case management purposes. The case information enables AVSO staff to 
evaluate the nature of the service request, prepare a statement of work that may be used by staff or a 
contractor to complete a mineral evaluation, appraise the land, and review the resulting reports generated 
as part of the service(s) requested. 


AVSO uses the AVIS application as a case management system to track and report the valuation service 
requests. The information provided by the clients is obtained from systems and/or records that the clients 
manage. Real estate ownership, location, and physical attributes are essential data elements provided in 
a client request and are maintained as part of the AVIS case record. The AVIS system provides for 
efficient management of the AVSO program of work and is restricted to named user access based on a 
valid business need. 


The user community has access to AVIS which may contain sensitive personally identifiable information 
(PII), however, it is the responsibility of the provider, data owner, or individual to protect the information 
and meet requirements under the Privacy Act and Federal law and policy. 


This AVIS system application is provided to DOI as a Software as a Services (SaaS) that is owned and 
operated by Salesforce.com. Salesforce.com is a cloud service provider that houses the system 
infrastructure and application. Salesforce.com is a FedRAMP authorized provider that manages the 
database, operating system, hardware and software, and has implemented security controls based on 
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 control 
standards and General Services Administration requirements. 


. What is the legal authority? 


The Economy Act, 31 U.S.C.1535; the Uniform Relocation Assistance and Real Property Acquisition 
for Federal and Federally Assisted Programs (Uniform Act), 49 CFR Part 24; the Paperwork Reduction 
Act of 1995, 44 U.S.C. Chapter 35; Federal Agency Responsibilities, 44 U.S.C. 3506; the Clinger- 
Cohen Act of 1996, 40 U.S.C. 1401 et seq; the E-Government Act of 2002, 44 U.S.C. 101; Federal 
Information Security Modernization Act of 2014, 44 U.S.C. 3554; OMB Circular A-130, Managing 
Information as a Strategic Resource; and OMB Circular A-127, Policies and Standards for Financial 
Management Systems. 


. Why is this PIA being completed or modified? 


O New Information System 
O New Electronic Collection 
O Existing Information System under Periodic Review 
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L Merging of Systems 

Significantly Modified Information System 
L Conversion from Paper to Electronic Records 
O Retiring or Decommissioning a System 

O Other: Describe: 


E. Is this information system registered in CSAM? 
Yes: 
010-000000699; Appraisal and Valuation Information System Security and Privacy Plan 
O No 


F. List all minor applications or subsystems that are hosted on this system and covered under this 
privacy impact assessment. 








Subsystem Name Purpose Contains PII Describe 
(Yes/No) If Yes, provide a 
description. 
None None No N/A 




















G. Does this information system or electronic collection require a published Privacy Act System of 
Records Notice (SORN)? 


Yes: 
A SORN is under development for AVIS. 
LI No 

H. Does this information system or electronic collection require an OMB Control Number? 
O Yes: 
No 

Section 2. Summary of System Data 
A. What PII will be collected? Indicate all that apply. 


Name 
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Personal Cell Telephone Number 
Tribal or Other ID Number 
Personal Email Address 

Home Telephone Number 
Mailing/Home Address 

Other: 


The information provided in the system relates to real or mineral property estates to be valued. 
Ownership interests are held by the Federal government, State and local government, Indian Trust or 
Tribally owned properties, and private entities. AVIS maintains information about property owners, 
which may include name, physical address, mailing address, tax map and lot numbers, legal (property) 
description, information on public documents, such as book and page numbers for deeds, 
encumbrances, and other recorded documents. The system also contains information about businesses 
by sole proprietors who operate under their own names, and information concerning these sole 
proprietors could include name, business address, business mailing address, business telephone 
numbers, and business email address. The personal and contact information in the system is largely 
available through public sources and is provided as part of the request submitted by the client bureau. In 
the case of appraisers, only business contact information that is available through a wide range of public 
sources is collected. For individual private property owners, information obtained is publicly available 
through municipal tax records and public land recordings held by municipal clerks, registry of deeds, or 
courts. Copies of this information is collected by the client bureau and included in the service request 
submitted through AVIS. 


. What is the source for the PII collected? Indicate all that apply. 


Individual 
Federal agency 
Tribal agency 
Local agency 
DOI records 
Third party source 
State agency 
Other: 


AVIS application which may contain sensitive PII must meet the requirements under the Privacy Act 
and Federal law and policy. Information about contractors is obtained from the National Registry’s 
Appraisal Subcommittee directory or directly from the contractor through the Federal procurement 
process. Property owner information is provided to AVIS by the client bureau. The client bureau obtains 
property owner information from public records such as local assessors and real estate tax offices, 
register of deeds, or the BIA Trust Asset and Accounting Management System (TAAMS) database for 
Indian Trust records and property that is allottee trust or Tribally owned. It is important to note that 
Indian Trust Records are not publicly available. 
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AVIS users may post information, documents, spreadsheets, PDFs, graphics, etc. to share or collaborate 
via a secure, encrypted cloud-based web site. 


The information provided by the client is required for AVSO staff to comply with national profession 
standards and state licensing laws relating to valuation services. AVSO staff will notify the client if 
there are discrepancies noted in the data provided in AVIS request to ensure accuracy. 


. How will the information be collected? Indicate all that apply. 


Paper Format 

Email 

Face-to-Face Contact 

Web site 

O Fax 

Telephone Interview 

Information Shared Between Systems - Lookup to TAAMS real estate records for Indian Trust 
Property requests 

Other: Describe 


In addition to entering specific data fields, the client will upload electronic documents attachments to 
complete a new request in AVIS. Alternatively, clients located in remote areas may submit paper request 
information and document attachments that will be received and entered by AVSO staff as a new AVIS 
request on behalf of the client. 


. What is the intended use of the PII collected? 


The AVSO staff utilizes the information provided or collected to engage with assigned qualified 
contractors, locate the property that is the subject of the request, and to coordinate an inspection of the 
property with the property owner in order to comply with professional appraisal standards and State 
licensing laws. Access to the information is limited to only the DOI staff and contractor engaged in the 
completion of the specific assignment request. PII contained in AVIS supports mission-related 
business functions and operations. 


. With whom will the PII be shared, both within DOI and outside DOI? Indicate all that apply. 
Within the Bureau/Office: 


Data is utilized by authorized AVSO acting in their official capacity to complete day to day operations 
and processes involved with the mission fulfillment and service delivery to client entities. 
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AVSO staff are assigned to a specific case and will have access to all information submitted by the 
client for that case. The supervisor of the assigned AVSO staff and AVSO managers have view access 
of all case records for their subordinates. 


Other Bureaus/Offices: 
Data may be shared with the AVSO client bureaus and offices to include: BIA, BLM, BOR, BTFA, 
FWS, and NPS. Only employees of DOI bureaus/offices who use AVIS in performing their job duties are 


given user-level access. Bureau/office officials who use AVIS have access only to records submitted by 
their bureau/office for related program activities such as real estate transaction negotiations. 


O Other Federal Agencies: 
Tribal, State or Local Agencies: 


Tribes may act as a client under PL 93-638. AVIS access is limited to only those records related to a 
specific request submitted by the named user for authorized program purposes. 


Contractor: 


Contract appraisers may be used to supplement AVSO staff in the completion of a specific assignment. 
Information contained within the AVIS case record is confidentially made available to the contractor for 
the expressed purpose of providing professional services to DOI related to that particular case. 


Other Third-Party Sources: 


Non-governmental organizations (NGOs) may be used to supplement Bureau Realty staff in the 
completion of a specific assignment. Information contained within the AVIS case record is confidentially 
made available to the NGO for the expressed purpose of providing professional services to DOI related 
to that particular case. 


. Do individuals have the opportunity to decline to provide information or to consent to the specific 
uses of their PIT? 


Yes: 

For private landowners, entering the valuation process and engaging in a property transaction is a 
voluntary process. Property owners have the right to decline to participate in the process and not to 
provide personal contact information. However, for landowners who enter the valuation process, the 


information is required by the bureau or office requesting the valuation. 


O No: 
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G. What information is provided to an individual when asked to provide PII data? Indicate all that 
apply. 


Privacy Act Statement: 


Bureaus and offices have the option of using forms to collect information, such as Standard Form 299, 
Applications for Transportation and Utility Systems and Facilities on Federal Lands, to manually input 
the information into the IVIS system. There are some bureaus and offices that use a bureau/office 
specific form to collect information, and these bureaus and offices are responsible for ensuring their 
forms contain required Privacy Act Statements or a privacy notice when PII is collected. 


Privacy Notice: Describe each applicable format. 


Notice is provided through publication of this privacy impact assessment. 


O Other: 
O None 


H. How will the data be retrieved? List the identifiers that will be used to retrieve information (e.g., 
name, case number, etc.). 
Keyword search by Name, Case Number, AVIS Project Number, Tract Number, or Case Property will 


be only available to authorized AVIS users. 
I. Will reports be produced on individuals? 
Yes: 


Reports may be produced for various mission related purposes on individuals by authorized DOI 
staff. Internal reports may be used for official purposes or as required by Federal law, regulatory 
statutes, and in accordance with the applicable legal authorities. Reports may be generated for 
tracking work and managing accounts by authorized staff within AVSO. 


The reports will include information such as work in progress, completed assignments, and various 
process metrics attributed to assignments. The purpose or intended use of the report is to effectively 
manage the AVSO program of work and identify opportunities for process improvement. Only 
authorized AVSO AVIS users will have the ability to query and run reports. 


O No 
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Section 3. Attributes of System Data 
A. How will data collected from sources other than DOI records be verified for accuracy? 


Data received directly from individuals is presumed to accurate at the time of submission and 
individuals have the ability to update their information to ensure it remains accurate. The data collected 
through manual intake are required to be verified by the person providing the information. AVSO staff 
can identify discrepancies and notify the AVIS System Administrator using the AVIS Helpdesk 
Ticketing system. 


B. How will data be checked for completeness? 


When a valuation request is entered into AVIS, there are automated validation mechanisms to ensure 
that required information fields are completed. Certain data fields are subject to additional validation to 
ensure that the proper type of data is entered. Document attachments are reviewed by AVSO staff for 
completeness whenever a new service request is submitted. 


Data may be checked for completeness by authorized users entering the data into AVIS for 
completeness and they are responsible for ensuring the information is correct by verifying the 
information at the time it is collected or received; and authorized users that review data in AVIS are 
responsible for the completeness of the data provided. 


C. What procedures are taken to ensure the data is current? Identify the process or name the 
document (e.g., data models). 


The assignment cycle times are typically 150 days or less, therefore, information provided at the 
beginning of each case is current. The record may be updated by the system user or administrator 
during the completion of the assignment as necessary. 


D. What are the retention periods for data in the system? Identify the associated records retention 
schedule for the records in this system. 


There are two record types in AVIS used to identify case records so that the appropriate records 
retention schedule can be administered. BIA 6200 series — Appraisal Services applies to Indian Trust 
AVIS Record type and they have a permanent disposition. DOI 7503.3 Valuation Service — Case/Work 
files applies to Federal Lands AVIS record type and have a 5-year disposition, or 2 years after the 
completion of litigation, whichever is longer. When a case completes the closeout status, the AVIS 
system automatically sends a copy of the case record to the DOI ECS/eERDMS system for electronic 
storage where it is managed to appropriate NARA requirements. ECS/eERDMS returns a folder link to 
the AVIS case record. The document attachments will be removed from the AVIS case record after 5 
years while the case record data and ECS/eERDMS will be maintained for 25 years from cutoff. 
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E. What are the procedures for disposition of the data at the end of the retention period? Where are 
the procedures documented? 


AVIS is integrated with ECS/eERDMS, DOI’s enterprise record management system which provides 
streamlined life cycle records management. Records in ECS/eERDMS are disposed of in accordance 
with NARA schedules and DOI records management policies. In AVIS, the documents attached to the 
case record will be removed by a System Administrator at the end of the fiscal year, 5 years after the 
case closed (Cutoff) date. AVIS case record data will be maintained in AVIS by the System 
Administrator for 25 years from the case closed (Cutoff) date. 


F. Briefly describe privacy risks and how information handling practices at each stage of the 
“information lifecycle” (i.e., collection, use, retention, processing, disclosure and destruction) affect 
individual privacy. 


There are privacy risks for using AVIS related to lack of notice, collection, use, retention, processing, 
disclosure, and destruction, which are mitigated by having end-to-end data encryption including data at 
rest and other controls. Record access is only provisioned to named users that need access to the 
information for appropriate business/program use. Furthermore, Client Bureaus and offices establish 
processes to ensure that a Privacy Act Statement or Privacy Notice are embedded in the official forms 
used to collect PII. 


The data in AVIS is used by AVSO for valuation program purposes at the request of DOI Client 
Bureaus. AVIS records are also subject to the requirements of the Freedom of Information Act. 


AVIS is a FISMA moderate application and is provided to DOI as a SaaS hosted by Salesforce.com, a 
cloud service provider that is FedRAMP authorized. The AVIS system currently resides in a Federal 
single tenant cloud. AVIS maintains actionable audit logs for all transactions which are accessible and 
reviewed by the authorized AVIS System Administrator. All DOI personnel (AVIS Users) are required 
to complete initial and annual privacy, security and records management training, and sign DOI Rules of 
Behavior. 


Section 4. PIA Risk Review 


A. Is the use of the data both relevant and necessary to the purpose for which the system is being 
designed? 


Yes: 


The use of AVIS is relevant and necessary to perform necessary mission critical functions. The mission 
of AVSO is to provide valuation services to all DOI Bureaus to support a wide range of real estate 
related programs. Professional appraisal standards and State licensing laws require proper identification 
of the property, the property owner, and property owner contact information. The system provides 
workflow, analytical tools and data storage that allows for the accomplishment of these tasks as per the 
mission. 
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O No 


. Does this system or electronic collection derive new data or create previously unavailable data 
about an individual through data aggregation? 


O Yes: 
No 
. Will the new data be placed in the individual’s record? 


O Yes: 
No 


. Can the system make determinations about individuals that would not be possible without the new 
data? 


O Yes: 
No 


. How will the new data be verified for relevance and accuracy? 


AVIS does not derive new data or create previously unavailable data about an individual through data 
aggregation. 


. Are the data or the processes being consolidated? 
O Yes, data is being consolidated 
O Yes, processes are being consolidated. 


No, data or processes are not being consolidated. 
. Who will have access to data in the system or electronic collection? Indicate all that apply. 


Users 

Contractors 
XIDevelopers 

System Administrator 
O Other: 
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. How is user access to data determined? Will users have access to all data or will access be 
restricted? 


AVIS system access is restricted to authorized users based on least privilege principle to perform 
services. Record access is defined by roles, profiles and permissions assigned to each user by the AVIS 
System Administrator. Property owners do not have access to the system. Users that have been inactive 
for 90 days will have their user account disabled. 


Are contractors involved with the design and/or development of the system, or will they be 
involved with the maintenance of the system? 


Yes. 
The appropriate privacy clauses and provisions were included in the contract with Salesforce. 
LI No 


Is the system using technologies in ways that the DOI has not previously employed (e.g., 
monitoring software, SmartCards or Caller ID)? 


O Yes. 
No 


. Will this system provide the capability to identify, locate and monitor individuals? 
Yes. 
The AVIS audit log collects information on the date and time of the event that occurred, where the event 


occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any 
user or subject associated with the event. 


LI No 

. What kinds of information are collected as a function of the monitoring of individuals? 

AVIS audit log collects information on when (date and time) the event occurred, where the event 
occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any 
user/subject associated with the event. Salesforce provides auditing for AVIS systems including but not 


limited to successful login, unsuccessful login, account management, policy change, privileged 
functions and system events. 
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M. What controls will be used to prevent unauthorized monitoring? 


AVIS security is controlled by groups of users. Groups of users are designated to view data within the 
AVIS platform, and are reviewed and managed by authorized AVIS System Administrators. Audit logs 
further ensure protection of data through consistent audit log monitoring. The audit logs are monitored 
periodically by the System Owner and Information System Security Officer. 


N. How will the PII be secured? 
(1) Physical Controls. Indicate all that apply. 


Security Guards 

Key Guards 

Locked File Cabinets 
Secured Facility 
Closed Circuit Television 
CL) Cipher Locks 
Identification Badges 
O Safes 

O Combination Locks 
Locked Offices 
Other. Describe 


The Salesforce FedRAMP documentation describes the applicable physical controls. 


(2) Technical Controls. Indicate all that apply. 


L] Password 

Firewall 

Encryption 

User Identification 

O Biometrics 

Intrusion Detection System (IDS) 

Virtual Private Network (VPN) 

Public Key Infrastructure (PKI) Certificates 
Personal Identity Verification (PIV) Card 
Other. 


The Salesforce FedRAMP documentation describes the applicable technical controls. 
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(3) Administrative Controls. Indicate all that apply. 


Periodic Security Audits 

Backups Secured Off-site 

Rules of Behavior 

Role-Based Training 

Regular Monitoring of Users’ Security Practices 

Methods to Ensure Only Authorized Personnel Have Access to PII 
Encryption of Backups Containing Sensitive Data 

Mandatory Security, Privacy and Records Management Training 
Other. 


The Salesforce FedRAMP documentation describes the applicable administrative controls. 


O. Who will be responsible for protecting the privacy rights of the public and employees? This 
includes officials responsible for addressing Privacy Act complaints and requests for redress or 
amendment of records. 


The Valuation Systems Manager, Appraisal and Valuation Services Office is the AVIS Information 
System Owner (SO) and the official responsible for oversight and management of the AVIS security 
controls and the protection of customer agency information processed and stored by the AVIS system. 
The Information System Owner, Information System Security Officer, and the AVIS Privacy Act 
System Manager are responsible for ensuring adequate safeguards are implemented to protect individual 
privacy and providing adequate notice, making decisions on Privacy Act requests for notification, 
access, and amendment, as well as processing complaints, in consultation with DOI Privacy Officials. 
These officials and authorized AVIS personnel are responsible for protecting individual privacy for the 
information collected, maintained, and used in the system, and for meeting the requirements of the 
Privacy Act and other Federal laws and policies for the data managed, used, and stored in AVIS. 


P. Who is responsible for assuring proper use of the data and for reporting the loss, compromise, 
unauthorized disclosure, or unauthorized access of privacy protected information? 


The AVIS SO is responsible for daily operational oversight and management of the system’s security, 
privacy controls, and ensuring to the greatest possible extent that agency data is properly managed and 
that all access to agency data has been granted in a secure and auditable manner. The SO, Information 
System Security Officer, and authorized users are responsible for ensuring that any loss, compromise, 
unauthorized access or disclosure of PII is reported to DOI-CIRC, DOI’s incident reporting portal, and 
appropriate DOI officials in accordance with Federal policy and established DOI procedures. 


13 


